2a59679766
* separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections.
94 lines
2.2 KiB
Go
94 lines
2.2 KiB
Go
// Copyright (C) 2019 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package tlsopts
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"io/ioutil"
|
|
|
|
"github.com/zeebo/errs"
|
|
monkit "gopkg.in/spacemonkeygo/monkit.v2"
|
|
|
|
"storj.io/storj/pkg/identity"
|
|
"storj.io/storj/pkg/peertls"
|
|
"storj.io/storj/pkg/pkcrypto"
|
|
)
|
|
|
|
var (
|
|
mon = monkit.Package()
|
|
// Error is error for tlsopts
|
|
Error = errs.Class("tlsopts error")
|
|
)
|
|
|
|
// Options holds config, identity, and peer verification function data for use with tls.
|
|
type Options struct {
|
|
Config Config
|
|
Ident *identity.FullIdentity
|
|
RevDB *identity.RevocationDB
|
|
PCVFuncs []peertls.PeerCertVerificationFunc
|
|
Cert *tls.Certificate
|
|
}
|
|
|
|
// NewOptions is a constructor for `tls options` given an identity and config
|
|
func NewOptions(i *identity.FullIdentity, c Config) (*Options, error) {
|
|
opts := &Options{
|
|
Config: c,
|
|
Ident: i,
|
|
}
|
|
|
|
err := opts.configure(c)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return opts, nil
|
|
}
|
|
|
|
// configure adds peer certificate verification functions and revocation
|
|
// database to the config.
|
|
func (opts *Options) configure(c Config) (err error) {
|
|
var pcvs []peertls.PeerCertVerificationFunc
|
|
parseOpts := peertls.ParseExtOptions{}
|
|
|
|
if c.UsePeerCAWhitelist {
|
|
whitelist := []byte(DefaultPeerCAWhitelist)
|
|
if c.PeerCAWhitelistPath != "" {
|
|
whitelist, err = ioutil.ReadFile(c.PeerCAWhitelistPath)
|
|
if err != nil {
|
|
return Error.New("unable to find whitelist file %v: %v", c.PeerCAWhitelistPath, err)
|
|
}
|
|
}
|
|
parsed, err := pkcrypto.CertsFromPEM(whitelist)
|
|
if err != nil {
|
|
return Error.Wrap(err)
|
|
}
|
|
parseOpts.CAWhitelist = parsed
|
|
pcvs = append(pcvs, peertls.VerifyCAWhitelist(parsed))
|
|
}
|
|
|
|
if c.Extensions.Revocation {
|
|
opts.RevDB, err = identity.NewRevDB(c.RevocationDBURL)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
pcvs = append(pcvs, identity.VerifyUnrevokedChainFunc(opts.RevDB))
|
|
}
|
|
|
|
exts := peertls.ParseExtensions(c.Extensions, parseOpts)
|
|
pcvs = append(pcvs, exts.VerifyFunc())
|
|
|
|
// NB: remove nil elements
|
|
for i, f := range pcvs {
|
|
if f == nil {
|
|
copy(pcvs[i:], pcvs[i+1:])
|
|
pcvs = pcvs[:len(pcvs)-1]
|
|
}
|
|
}
|
|
|
|
opts.PCVFuncs = pcvs
|
|
|
|
opts.Cert, err = peertls.TLSCert(opts.Ident.ChainRaw(), opts.Ident.Leaf, opts.Ident.Key)
|
|
return err
|
|
}
|